cvedb.io
CVE-2021-33604
LOW · CVSS 2.5
EPSS exploitation probability: 0%
Published 2021-06-24T12:15:08.157 · Last modified 2026-06-17T03:54:51.847

Summary

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.

Affected products

vaadin — flow-server

Does this affect you?

Add your gear to cvedb and we'll alert you only when vaadin ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.